Roger Pettett > Bio-Das-ProServer > Bio::Das::ProServer::Authenticator::http

Download:
Bio-Das-ProServer-2.20.tar.gz

Dependencies

Annotate this POD

CPAN RT

Open  0
View/Report Bugs
Module Version: 688   Source  

NAME ^

Bio::Das::ProServer::Authenticator::http - authenticates DAS requests by issuing requests to a remote authority

VERSION ^

$LastChangedRevision: 688 $

SYNOPSIS ^

To authenticate a request:

  my $auth = Bio::Das::ProServer::Authenticator::http->new({
    'config' => {
                 'authurl'     => 'http://my.example.com/is_root?query=%token',
                },
  });
  
  my $allow = $auth->authenticate({
    'peer_addr' => $, # packed
    'request'   => $, # HTTP::Request object
    'cgi'       => $, # CGI object
    ...
  });

DESCRIPTION ^

Authenticates DAS requests by connecting to a remote authentication HTTP server. An authentication token is parsed from the DAS request. By default this should be in an 'Authorization' header, but the authenticator can be configured to look in a cookie, CGI parameter or a header with a different name.

The authentication token is referred to a remote server to ask a yes/no question (e.g. "Is this user in a certain group of users?"). The server, for which the URL is configurable, should return a status code of either 200 (OK) or a denial response that will be forwarded to the client. For example if the remote wishes to deny the request, it could respond with a status code of 403, textual content for explanation and any necessary custom headers.

Authentication results are cached for 30 minutes in order to minimise the number of requests issued to the remote server. Internal Server Error responses (code 500) are not cached.

This module may be easily overridden to parse the authentication token in different ways.

SUBROUTINES/METHODS ^

authenticate : Applies authentication to a request.

  Requires: a hash reference containing details of the DAS request
  Returns:  either nothing (allow) or a HTTP::Response (deny)

  my $allow = $oAuth->authenticate({
    'peer_addr' => $, # packed
    'request'   => $, # HTTP::Request object
    'cgi'       => $, # CGI object
    ...
  });

  The method follows this procedure:
  1. Parse an authentication token from the DAS request (parse_token method).
  2. Check for cached results for this token.
  3. If not found, query the remote server.
  4. Store the response in the cache, unless it is a server error (500)
  4. If the response code is 200 allow the request, otherwise deny.

parse_token : Parses the DAS request to extract an authentication token

  Requires: a hash reference containing details of the DAS request
  Returns:  a string authentication token

  my $token = $oAuth->parse_token({
    'peer_addr' => $, # packed
    'request'   => $, # HTTP::Request object
    'cgi'       => $, # CGI object
    ...
  });

  Depending on configuration, the authentication token is extracted from:
  1. a named cookie
  2. a named CGI parameter
  3. a named request header
  4. the 'Authorization' request header (default)

This method may be overridden to extract the token in a different manner.

DIAGNOSTICS ^

  my $auth = Bio::Das::ProServer::Authenticator::http->new({
    ...
    'debug'  => 1,
  });

CONFIGURATION AND ENVIRONMENT ^

The URL to use for remote authentication is configured in the source INI section. Any instances of "%token" will be replaced by the value of the authentication token parsed from the DAS request.

  [mysource]
  authenticator = http
  authurl       = http://auth.example.com/is_allowed?query=%token
  ; Optionally define location of auth token (default is 'Authorization' header)
  ; authcookie    = cookiename
  ; authheader    = headername
  ; authparam     = cgiparamname

An HTTP proxy may be specified in the shell environment.

DEPENDENCIES ^

Carp
Bio::Das::ProServer::Authenticator
LWP::UserAgent

BUGS AND LIMITATIONS ^

This authenticator implementation may only be used to ask yes/no questions, such as "does this token identify a user with sufficient privileges?". Questions such as "which user does this token identify?" have additional security implications and are therefore not supported.

INCOMPATIBILITIES ^

None reported.

AUTHOR ^

Andy Jenkinson <andy.jenkinson@ebi.ac.uk>

LICENSE AND COPYRIGHT ^

Copyright (c) 2008 EMBL-EBI

syntax highlighting: